CVE-2025-10181: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dartiss Draft List
The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-10181 is a stored cross-site scripting (XSS) vulnerability in the Draft List plugin for WordPress by dartiss, affecting all versions up to and including 2.6. The flaw is in the plugin's 'drafts' shortcode: attribute values supplied by the post author are neither sanitized on input nor escaped on output before being written into the generated page. This is the usual shape of a contributor-level WordPress XSS. Contributors and authors lack the unfiltered_html capability, so WordPress's KSES filter strips script tags and event-handler attributes from the HTML they post, but a shortcode's attribute text is not HTML and passes through KSES untouched; when the plugin later interpolates that text into a tag attribute or text node without esc_attr()/esc_html(), a value that closes the quoted attribute can add an event handler or a new element. The injected script then runs in the browser of anyone who renders the page, including an editor or administrator who previews the pending post, with that user's session cookies and nonces. The consequences are those of any stored XSS: session theft, actions performed through admin-ajax or the REST API as the victim, defacement, and, where the victim is an administrator, full site takeover. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and carries a CVSS 3.1 base score of 6.4 (Medium), consistent with the vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: network-reachable, low complexity, low privileges (a contributor account) required, no user interaction in CVSS terms (a victim still has to load the page, but the attacker does not have to lure them), changed scope because the payload executes in other users' browsers, and low confidentiality and integrity impact with no availability impact. No public exploit is recorded on this page, but the technique is standard for this bug class and needs no special tooling. This page also lists no patch reference; check the plugin's changelog for a release later than 2.6 and treat sites on 2.6 or earlier as exposed until they are updated.
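The pattern described above, as an added example that is neither the Draft List plugin's code nor part of the original advisory: a minimal vulnerable shortcode handler beside a hardened one, run against a constructed quote-breakout attribute value. The attribute names title and limit, the helper example_drafts() and the attacker value are assumptions for illustration; shortcode_atts(), esc_attr(), esc_html(), absint() and add_shortcode() are real WordPress functions and are shimmed only so the file runs outside WordPress with `php`.

```php
<?php
// Added example, not the Draft List plugin's code: the shortcode-attribute XSS
// pattern behind CVE-2025-10181, as a vulnerable handler beside a hardened one.
// Attribute names ('title', 'limit') and example_drafts() are hypothetical.
// The shims below stand in for WordPress helpers only when WordPress is absent.

if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($v): int { return abs((int) $v); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts, string $shortcode = ''): array {
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}

// Constructed draft titles standing in for the plugin's own post query.
function example_drafts(): array {
    return ['Q3 roadmap', 'Incident retro', 'Vendor review'];
}

// VULNERABLE: attribute values go into the markup as-is. A contributor cannot
// post a raw <script> tag (KSES strips it), but shortcode attributes are plain
// text to KSES, so a value that closes the quoted attribute arrives here intact.
function drafts_shortcode_vulnerable(array $atts): string {
    $a = shortcode_atts(['title' => 'Drafts', 'limit' => '5'], $atts, 'drafts');
    $out = '<div class="draft-list" data-limit="' . $a['limit'] . '">';
    $out .= '<h3>' . $a['title'] . '</h3><ul>';
    foreach (array_slice(example_drafts(), 0, max(1, (int) $a['limit'])) as $d) {
        $out .= '<li>' . $d . '</li>';
    }
    return $out . '</ul></div>';
}

// HARDENED: coerce numeric input to an integer, and escape every other value
// for the exact context it lands in (attribute value vs. text node) at output.
function drafts_shortcode_hardened(array $atts): string {
    $a = shortcode_atts(['title' => 'Drafts', 'limit' => '5'], $atts, 'drafts');
    $limit = max(1, absint($a['limit']));
    $out = '<div class="draft-list" data-limit="' . esc_attr((string) $limit) . '">';
    $out .= '<h3>' . esc_html($a['title']) . '</h3><ul>';
    foreach (array_slice(example_drafts(), 0, $limit) as $d) {
        $out .= '<li>' . esc_html($d) . '</li>';
    }
    return $out . '</ul></div>';
}

// Inside WordPress this is how the safe handler would be registered.
if (function_exists('add_shortcode')) {
    add_shortcode('drafts', 'drafts_shortcode_hardened');
}

// Constructed payload: a contributor saves the post content
//   [drafts limit='" onmouseover="alert(document.cookie)']
// and WordPress's shortcode parser hands the handler this attribute array.
$attacker_atts = ['limit' => '" onmouseover="alert(document.cookie)'];

if (PHP_SAPI === 'cli') {
    echo "vulnerable: ", drafts_shortcode_vulnerable($attacker_atts), "\n";
    echo "hardened:   ", drafts_shortcode_hardened($attacker_atts), "\n";
}
```

The vulnerable handler emits `<div class="draft-list" data-limit="" onmouseover="alert(document.cookie)">`, so the contributor's value has closed the data-limit attribute and added an event handler without ever using a `<` that KSES would see. The hardened handler emits `data-limit="1"` because absint() reduces the value to an integer. Note that shortcode_atts() on its own is not a defense: it whitelists attribute names, not values, so every value still needs context-appropriate escaping at the point of output.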
Potential Impact
The direct impact is to the confidentiality and integrity of the affected WordPress site and its users. A contributor, or anyone holding a compromised contributor account, can store a script that executes in the browser of every visitor to the affected page and, more importantly, of every editor or administrator who opens or previews the post. From an administrator's session the script can read cookies and nonces and use admin-ajax or the REST API to create users, change roles or install plugins, turning a contributor-level foothold into full site compromise. Other outcomes include redirecting visitors to malicious sites, defacement, and exposure of content that was not meant to be public. Availability is not affected directly, although a completed takeover can lead to anything. Sites most at risk are multi-author installations that grant contributor or author accounts to people outside the core team (guest writers, agencies, community members) and use Draft List in their editorial workflow. The Medium score reflects the need for an account, not difficulty of exploitation: the payload is a single shortcode attribute value, it persists until someone removes it, and it fires without any interaction beyond rendering the page.
Mitigation Recommendations
1. Update Draft List to a release later than 2.6 as soon as the vendor publishes one, and confirm in the plugin changelog that the release addresses the shortcode escaping; this page records no fixed version.
2. Until then, stop the shortcode from rendering: deactivate the plugin, or unregister the shortcode with remove_shortcode('drafts') from a must-use plugin. Stored payloads remain in post content but are no longer emitted into pages.
3. Audit existing content: search wp_posts.post_content across all post statuses (pending and draft included) for '[drafts' and review every attribute value containing quotes, angle brackets, on*= or javascript:. Record the post author; a payload from a contributor account means that account is hostile or compromised and should be suspended.
4. Reduce exposure through roles: keep contributor and author accounts to trusted people, remove dormant ones, and remember that a reviewer previewing a pending post is the most valuable victim.
5. Treat WAF rules as a stopgap only: the payload is a short attribute value in a POST to the post editor or the REST API, and generic XSS signatures miss quote-breakout variants easily.
6. Deploy a Content Security Policy that disallows inline scripts (nonce- or hash-based script-src). Roll it out in Report-Only mode first, since WordPress core and many themes use inline script; a strict CSP limits what an injected event handler can do even when escaping fails.
7. Use a scanner or security plugin that flags script-like content in posts and alerts on new administrator accounts or role changes, which is what successful post-exploitation looks like.
8. Keep off-site backups so a compromised site can be restored, and brief editors and contributors that shortcode attributes are part of the attack surface even though raw HTML is filtered.
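For the audit, shortcode-disable and CSP steps above, an added example that is not the plugin's or the advisory's code: a PHP file that runs stand-alone with `php` over constructed post bodies, and applies the runtime mitigations only when WordPress is loaded (that is, when dropped into wp-content/mu-plugins/). The attribute regex, the suspicious-value heuristic and the init priority 99 are this example's assumptions; remove_shortcode(), add_action(), $wpdb->prepare() and $wpdb->esc_like() are real WordPress APIs.

```php
<?php
// Added example, not part of Draft List or of this advisory: audit stored
// [drafts ...] shortcodes for hostile attribute values and, when loaded by
// WordPress as a must-use plugin, apply the temporary mitigations.
// The regexes and the suspicious-value heuristic are this example's own.

// Parse key="v", key='v' and key=v pairs from the body of a [drafts ...] tag.
// Simplified stand-in for WordPress's shortcode_parse_atts().
function parse_shortcode_atts(string $body): array {
    $atts = [];
    $re = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))/';
    preg_match_all($re, $body, $m, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL);
    foreach ($m as $hit) {
        $atts[strtolower($hit[1])] = $hit[2] ?? $hit[3] ?? $hit[4] ?? '';
    }
    return $atts;
}

// Values with HTML metacharacters, an on*= handler or a javascript: URL have
// no legitimate use in this shortcode's attributes and are flagged for review.
function suspicious_value(string $v): bool {
    return (bool) preg_match('/[<>"\']|\bon\w+\s*=|javascript\s*:/i', $v);
}

// One finding per suspicious attribute: the shortcode text, the name, the value.
function audit_drafts_shortcodes(string $content): array {
    $findings = [];
    preg_match_all('/\[drafts\b([^\]]*)\]/i', $content, $m, PREG_SET_ORDER);
    foreach ($m as $hit) {
        foreach (parse_shortcode_atts($hit[1]) as $name => $value) {
            if (suspicious_value($value)) {
                $findings[] = ['shortcode' => $hit[0], 'attribute' => $name, 'value' => $value];
            }
        }
    }
    return $findings;
}

if (function_exists('add_action')) {
    // Running inside WordPress: stop the shortcode from rendering at all until
    // a fixed release is installed. Priority 99 assumes the plugin registers
    // the shortcode on init at the default priority or earlier.
    add_action('init', function () { remove_shortcode('drafts'); }, 99);

    // Report-only CSP first: WordPress core and many themes use inline script,
    // so measure what a blocking policy would break before enforcing it.
    add_action('send_headers', function () {
        header("Content-Security-Policy-Report-Only: script-src 'self'; object-src 'none'");
    });

    // Candidate rows for the audit, every post status included:
    //   global $wpdb;
    //   $rows = $wpdb->get_results($wpdb->prepare(
    //       "SELECT ID, post_author, post_status, post_content FROM {$wpdb->posts}
    //        WHERE post_content LIKE %s", '%' . $wpdb->esc_like('[drafts') . '%'));
    //   foreach ($rows as $r) { $hits = audit_drafts_shortcodes($r->post_content); }
} elseif (PHP_SAPI === 'cli') {
    // Stand-alone run over constructed post bodies standing in for wp_posts rows.
    $sample_posts = [
        101 => 'Weekly update. [drafts limit="5" title="Coming soon"]',
        102 => 'Notes [drafts limit=\'" onmouseover="alert(document.cookie)\']',
        103 => '[drafts title="x" order=javascript:alert(1)] plus text',
    ];
    foreach ($sample_posts as $id => $content) {
        foreach (audit_drafts_shortcodes($content) as $f) {
            printf("post %d: attribute '%s' = %s\n", $id, $f['attribute'], $f['value']);
        }
    }
}
```

On the constructed input, post 101 produces no finding, post 102 is flagged on limit (its value contains a double quote that would close the surrounding attribute), and post 103 is flagged on order (a javascript: URL). The heuristic is deliberately broad for triage: a benign title such as Editor's picks will also be flagged because of the apostrophe, so expect some manual review of hits, and always search every post status, since a contributor's payload sits in a pending or draft post precisely where a reviewer will open it.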
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-09T14:33:01.772Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68cf42444a0b186b9321b039
Added to database: 9/21/2025, 12:09:40 AM
Last enriched: 2/27/2026, 6:14:28 PM
Last updated: 3/23/2026, 4:00:14 PM